Serious Vulnerability in Microsoft Remote Desktop

Background

On March 13, 2012, Microsoft released Advisory 2671387[1] which stated
that Microsoft has fixed a vulnerability in Microsoft Remote Desktop
Protocol (RDP) that if exploited could grant complete control to an
attacker.

Impact

On a computer running Microsoft Remote Desktop in a default
configuration, an attacker without credentials can send a specially
crafted sequence of data to the computer and gain complete control
of the vulnerable computer.

Platforms Affected

This affects all supported versions of Microsoft Windows.

Observations

By default, RDP uses TCP port 3389.  This port is open at the
University and is continually scanned by attackers.  Normally the
attackers are attempting to guess a valid username and password on
the machine.  ITS Security Operations and Services Office has not
observed a major increase in traffic as of March 16, 2012.

However, as of March 16, 2012, a bounty of almost $1500 USD has been offered
for a working exploit[2]. While SOS believes attackers attempt to
develop exploits after every vulnerability announcement, this
vulnerability is of particular concern because a working exploit could turn into
a self spreading worm that infects all unprotected Windows systems
running Remote Desktop.

Recommendations

Microsoft Security Bulletin MS12-020 included a patch that should be
applied as soon as possible.  Microsoft expects working exploits to
be in use within weeks (if not sooner).

Workarounds

The suggestions below will not fix the underlying vulnerability, but
provide defense in depth against possible attacks.  Detailed
explanations of each workaround can be found in the Microsoft
Bulletin MS12-020[1].

Disable Remote Desktop

   Best practice is to disable unnecessary services on a machine.
If Remote Desktop is not needed, disable it.

Limit Access to TCP Port 3389 via a Firewall

   Only allow connections from trusted IP ranges.  For example, limit
TCP 3389 to only the University and require users to connect to the
University VPN service before using RDP.

Enable Network Level Authentication on Modern Windows Systems

   If all of your RDP clients are Windows Vista, Windows 7, Server 2008,
or Server 2008 R2, you can enable Network Level Authentication, which
forces a user to authenticate before being allowed to use RDP.
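The three workarounds above, as an added PowerShell example for Windows Vista, 7, Server 2008 and 2008 R2 hosts (this script is not part of the advisory or of the Microsoft bulletin). It audits the registry values that control Remote Desktop and Network Level Authentication, scopes TCP 3389 to a trusted range through netsh (the NetSecurity cmdlets only exist on Windows 8 and later), and requires NLA. The $TrustedRange value and the rule name are assumptions; replace the range with the University address space your VPN assigns.

```powershell
# Added example (not from the advisory): audit and harden RDP exposure.
# Run from an elevated PowerShell prompt on the host that exposes RDP.

# ASSUMPTION: the RFC 5737 documentation range stands in for the campus/VPN range.
$TrustedRange = '192.0.2.0/24'
$RuleName     = 'RDP 3389 trusted only'   # assumed rule name, chosen for this example

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpStatus {
    # fDenyTSConnections = 1 means Remote Desktop is disabled.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required.
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    New-Object PSObject -Property @{
        RemoteDesktopEnabled = ($deny -ne 1)
        NlaRequired          = ($nla -eq 1)
    }
}

function Disable-RemoteDesktop {
    # Workaround 1: if Remote Desktop is not needed, turn the service off.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
}

function Set-RdpTrustedRange {
    param([string]$Range)
    # Workaround 2: disable the broad built-in "Remote Desktop" allow rules and
    # add a single inbound allow rule scoped to the trusted range. With the
    # default inbound policy (block), every other source is dropped.
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=no | Out-Null
    netsh advfirewall firewall delete rule name="$RuleName" | Out-Null   # ignore "no rules match" on first run
    netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow protocol=TCP localport=3389 remoteip=$Range
}

function Enable-Nla {
    # Workaround 3: require Network Level Authentication so a client must
    # authenticate before the RDP session code is reached.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    # SecurityLayer 2 requires TLS for the RDP-Tcp listener.
    Set-ItemProperty -Path $rdpKey -Name SecurityLayer -Value 2 -Type DWord
}

# Usage: audit first, then apply only the workarounds that fit the host.
$before = Get-RdpStatus
Write-Output "Before: RDP enabled=$($before.RemoteDesktopEnabled) NLA required=$($before.NlaRequired)"
if ($before.RemoteDesktopEnabled) {
    Set-RdpTrustedRange -Range $TrustedRange
    Enable-Nla
}
$after = Get-RdpStatus
Write-Output "After:  RDP enabled=$($after.RemoteDesktopEnabled) NLA required=$($after.NlaRequired)"
```

Call Disable-RemoteDesktop instead of the other two functions on hosts that do not need Remote Desktop at all. Requiring NLA disconnects clients that cannot negotiate CredSSP (for example Windows XP without the CredSSP update), so confirm the client population before enforcing it.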

Further Reading

   CVE-2012-0002: A closer look at MS12-020's critical issue[3]
   Strength, flexibility and the March 2012 security bulletins[4]

[1] http://technet.microsoft.com/en-us/security/bulletin/ms12-020
[2] http://blog.spiderlabs.com/2012/03/the-race-for-ms12-020.html
[3] http://blogs.technet.com/b/srd/archive/2012/03/13/cve-2012-0002-a-closer-look-at-ms12-020-s-critical-issue.aspx
[4] http://blogs.technet.com/b/msrc/archive/2012/03/13/strength-flexibility-and-the-march-2012-security-bulletins.aspx

Story added 17 March 2012.